hostap + mac filtering

Bryan Kadzban bryan
Tue Sep 27 19:37:53 PDT 2005


Jouni Malinen wrote:
> madwifi is taking care of IEEE 802.11 authentication in the driver 
> and this is the normal location for MAC address filtering. In other 
> words, the part that takes care of this in hostapd is never run when 
> using madwifi.

With our old Orinoco APs, when we configured a MAC ACL, any MAC address
that wasn't allowed according to that list wasn't even allowed to
associate.  Sounds like those APs did that in the driver, too.  (They
used Atheros radios, but I don't know what OS.)

> or by doing this after the association as a not so clean solution
> (i.e., allow STA to associate, but then kick it out if it should not
> have been allowed in).

The aforementioned Orinoco APs also had a "MAC access control by RADIUS"
option (the Ciscos that we use now have the same thing), which works
similarly -- the AP allows anyone to associate, but if the RADIUS server
sends an Access-Reject, then that client can't pass traffic through the
AP.  Sounds vaguely similar to what you're considering here.

I wonder if a "MAC access control by RADIUS" feature would be helpful in
hostapd.  The Orinoco APs were configurable; the username was the MAC
address in one of 4 formats (xx.xx.xx..., xx-xx-xx..., xxxxxx-xxxxxx, or
one other one that I can't remember anymore), and the password was the
RADIUS shared secret.  The Cisco APs send a username of xxxxxxxxxx, and
the password is the same as the username.

If someone plans on doing this, they might as well come up with as many
username/password format options as possible, and make it configurable.
(And documented!  That was the biggest issue with both APs -- finding
out what they used for the password.  We had to sniff a RADIUS exchange,
then manually decode the password attribute.  Since we knew the shared
secret, and RADIUS's password attribute encryption is documented and
only depends on the shared secret, MD5, and XOR, we could do this.)

This isn't very secure (not nearly as secure as certificate or password
based authentication using 802.1x), but it doesn't require cooperation
from the STA, either.
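As an added illustration of the debugging step described above (not code from this thread or from hostapd), here is a small Python script that reproduces the RFC 2865 User-Password hiding scheme: the password is padded to a multiple of 16 bytes, each block is XORed with MD5(shared secret + previous block), and the first block uses the Access-Request's 16-byte Request Authenticator. The MAC-as-username formats, the shared secret, the authenticator and the sample attribute values below are constructed for the example; the helper that guesses which convention an AP uses (password equal to the username, or equal to the shared secret) is a hypothetical name, not a hostapd API.

```python
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password as an Access-Request does (RFC 2865, section 5.2)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # pad with NULs to 16n
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()  # b_i = MD5(S + c_(i-1))
        prev = _xor(padded[i:i + 16], b)          # c_i = p_i XOR b_i
        out += prev
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Invert radius_hide_password given the same secret and authenticator."""
    if len(hidden) == 0 or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += _xor(hidden[i:i + 16], b)
        prev = hidden[i:i + 16]                  # chaining uses the ciphertext block
    return out.rstrip(b"\x00")                   # strip RFC padding


def mac_username(mac: str, style: str) -> str:
    """Render a MAC in one of the username styles mentioned in the thread."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("need 12 hex digits")
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    styles = {
        "dotted": ".".join(pairs),               # xx.xx.xx.xx.xx.xx
        "dashed": "-".join(pairs),               # xx-xx-xx-xx-xx-xx
        "halves": digits[:6] + "-" + digits[6:], # xxxxxx-xxxxxx
        "plain": digits,                         # xxxxxxxxxxxx (Cisco style)
    }
    return styles[style]


def infer_password_convention(username: str, hidden: bytes,
                              secret: bytes, authenticator: bytes) -> str:
    """Hypothetical helper: decode a captured User-Password and say which
    convention the AP appears to use. Only works because the operator
    already holds the shared secret, which is the point made in the post."""
    clear = radius_reveal_password(hidden, secret, authenticator)
    if clear == username.encode():
        return "same-as-username"
    if clear == secret:
        return "shared-secret"
    return "other"


# Constructed sample exchange: a Cisco-style AP sending MAC as username
# and the same string as password.
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_USERNAME = mac_username("00:11:22:33:44:55", "plain")
SAMPLE_HIDDEN = radius_hide_password(SAMPLE_USERNAME.encode(),
                                     SAMPLE_SECRET, SAMPLE_AUTHENTICATOR)

if __name__ == "__main__":
    print("username:", SAMPLE_USERNAME)
    print("hidden User-Password:", SAMPLE_HIDDEN.hex())
    print("convention:", infer_password_convention(
        SAMPLE_USERNAME, SAMPLE_HIDDEN, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR))
```

The chaining in radius_reveal_password uses the received ciphertext block, not the recovered plaintext, which is the detail most easily gotten wrong when decoding by hand. The scheme offers no secrecy against anyone holding the shared secret, which is why the post rates MAC-by-RADIUS well below 802.1X.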